HIPAA in the Time of Coronavirus
Group health plans and other entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) should treat the bulletin released by the Department of Health and Human Services (the Bulletin) as a reminder that their HIPAA obligations continue to apply even during a public health emergency such as the Novel Coronavirus Disease (COVID-19) outbreak.
The Bulletin reiterates the circumstances under which HIPAA currently permits an individual’s protected health information (PHI) to be used and disclosed in an emergency situation. The circumstances applicable to group health plans are discussed in general terms below. Plan sponsors may want to review their group health plan’s use and disclosure procedures to confirm that these permitted exceptions are correctly included.
Below are answers to some common questions about the intersection of HIPAA and COVID-19 in the group health plan context:
Can the group health plan disclose an individual’s COVID-19 diagnosis to the CDC or other state or local authorities?
In a public health emergency, PHI can be disclosed without an individual’s permission in certain cases when the disclosure is necessary to prevent or lessen a serious or imminent threat to the health and safety of a person or the public.
In addition, PHI may be disclosed to a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. The Bulletin notes: “[a] covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have COVID-19.”
As a reminder, HIPAA limits disclosures to the minimum necessary to accomplish the purpose of the disclosure. When a public health authority such as the CDC requests information on COVID-19 for the purpose of infectious disease reporting, the group health plan can rely on the government’s representations (if the reliance is reasonable) that the request meets the minimum necessary standard for the authority’s public health purpose.
Can an employer disclose an individual’s COVID-19 diagnosis to other employees or other people at risk (such as visitors to a job-site or conference attendees)?
PHI covered by HIPAA includes only information about health status, provision of health care, or payment for health care that is created or collected by a covered entity. Information that is obtained and held in an employer capacity is not covered by HIPAA. For example, if an employee tells an employer that the employee has tested positive for coronavirus and is self-quarantining, HIPAA does not protect that information. However, if that information came from the group health plan, it would be PHI and covered by HIPAA. As a result, the group health plan should not make the employer aware of an employee’s medical diagnosis.
When the group health plan has information about a COVID-19 diagnosis, HIPAA allows the plan to disclose PHI to persons at risk of contracting or spreading COVID-19 if otherwise authorized by law, without the individual’s authorization, during the period in which there is a public health emergency. The “minimum necessary” standard noted above still applies. If this type of disclosure is not otherwise required by law, an alternative would be to encourage the affected individual to voluntarily share the information with others who may have been exposed to the virus. Note that in this case, since the PHI originated with the group health plan, any communication with the employee should be from the group health plan and not from the employer.
However, the group health plan should not disclose the identity of the affected employee. As noted by the CDC in its Interim Guidance for Businesses and Employers, “If an employee is confirmed to have COVID-19, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act (ADA).”
Another option is for the group health plan to make a disclosure to the CDC or a similar state or local authority (to the extent permitted, as discussed above), and let the public health officials determine whether to contact other individuals who may have been exposed (such as coworkers).
What steps should an employer take to ensure HIPAA compliance for employees who are working from home during the COVID-19 outbreak?
HIPAA’s security requirements for administrative, physical, and technical safeguards for e-PHI continue to apply to group health plans even during the COVID-19 outbreak.
As a result, it is important that individuals who are newly or recently authorized to work from home because of COVID-19 implement and use reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures (such as adequate encryption on all devices and training on the use of PHI offsite). It may also make sense to issue additional reminders about appropriate access and to regularly review access logs and tracking systems, in addition to the typical, existing risk analysis and written policy.
As a reminder, for those working from home, the policy should address the equipment, software and hardware requirements (for example: requiring the use of a VPN; encrypting PHI; requiring passwords to be changed) and the security and privacy requirements (such as training that addresses PHI that is used or moved offsite and accessed remotely, and tracking of PHI that is used or accessed offsite).
The Bulletin provides a limited waiver of certain sanctions and penalties related to the HIPAA privacy rule requirements for certain providers (and a similar waiver is in place for telehealth activities), but to date no such waiver has been extended to group health plans. However, we expect that the HIPAA compliance considerations with respect to the COVID-19 outbreak will continue to evolve given the rapidly changing work environment, agency guidance, and public health response and recommendations. Until then, before disclosing any PHI, a group health plan should exercise caution and consult with legal counsel to confirm that a use or disclosure will not constitute a HIPAA violation.